
Prevent Critical Storage Resource Deletion

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: OCI-IAM-017

Ensure that storage service-level administrators can't delete the resources they manage in order to prevent accidental or malicious data loss, thereby maintaining data integrity and availability. This separation of duties is essential for robust security and operational stability.

Security

Enforce the separation of duties principle by ensuring that storage service-level administrators cannot delete the resources they manage. This control is achieved by verifying that policy statements contain an explicit condition restricting their delete privileges, so that administrators can manage, but not destroy, the resources for their specific service. A policy statement that enforces non-deletion privileges for storage service-level administrators has the form Allow GROUP <service-level-group-name> to <verb> <storage-resource-type> in TENANCY where request.permission!='<STORAGE-RESOURCE-TYPE>_DELETE', for example Allow GROUP VolumeAdmins to manage volumes in TENANCY where request.permission!='VOLUME_DELETE'.

Audit

To check for policies that enforce non-deletion privileges for storage service-level administrators, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Policies, and select an OCI compartment from the Compartment dropdown menu available next to Applied filters, to list the access policies created for that compartment.

04 Click on the name (link) of the access policy that you want to examine, listed in the Name column.

05 Select the Statements tab and check the Policy Statements section to determine whether the selected policy enforces non-deletion privileges for storage service-level administrators. A compliant policy statement prevents storage service-level administrators from deleting the resources they manage and has the following format: Allow GROUP <service-level-group-name> to <verb> <storage-resource-type> in TENANCY where request.permission!='<STORAGE-RESOURCE-TYPE>_DELETE', where <STORAGE-RESOURCE-TYPE> can be VOLUME, VOLUME_BACKUP, FILE_SYSTEM, MOUNT_TARGET, EXPORT_SET, BUCKET, or OBJECT. For example, Allow GROUP VolumeAdmins to manage volumes in TENANCY where request.permission!='VOLUME_DELETE'. If no such statements exist, the policy does not enforce non-deletion privileges for storage service-level administrators, therefore, the policy is not compliant.

06 Repeat steps no. 4 and 5 for each policy created within the selected OCI compartment. If no compliant policies are identified, this indicates that OCI storage service-level administrators are not prevented from deleting the storage resources they manage.

Using OCI CLI

01 Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list \
	--all \
	--include-root \
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run the iam policy list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter to list the access policies defined for the selected compartment:

oci iam policy list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' | grep -i -e "in tenancy" -e 'in compartment' -e "ocid1.policy.oc1"

04 The command output should return the IDs of the requested access policies (and their policy statements):

"Allow GROUP VolumeAdmins to manage volumes in TENANCY"
"id": "ocid1.policy.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",

"Allow GROUP ObjectStorageAdmins to manage buckets in TENANCY"
"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd123abcd123ad",

"ALLOW GROUP Administrators to manage all-resources IN TENANCY"
"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"

Check the policy statement(s) defined for each access policy returned by the iam policy list command output to determine whether any policies enforce non-deletion privileges for storage service-level administrators. A compliant policy contains policy statements that prevent storage service-level administrators from deleting the resources they manage and have the following format: Allow GROUP <service-level-group-name> to <verb> <storage-resource-type> in TENANCY where request.permission!='<STORAGE-RESOURCE-TYPE>_DELETE', where <STORAGE-RESOURCE-TYPE> can be VOLUME, VOLUME_BACKUP, FILE_SYSTEM, MOUNT_TARGET, EXPORT_SET, BUCKET, or OBJECT. For example, Allow GROUP VolumeAdmins to manage volumes in TENANCY where request.permission!='VOLUME_DELETE'. If no compliant policies are identified, this indicates that OCI storage service-level administrators are not prevented from deleting the storage resources they manage.

Remediation / Resolution

To ensure that storage service-level administrators can't delete the resources they manage, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Policies, and select an OCI compartment from the Compartment dropdown menu available next to Applied filters, to list the access policies created for that compartment.

04 Click on the name (link) of the non-compliant access policy that you want to configure.

05 Select the Statements tab, choose Edit Policy Statements, and find the policy statement that allows storage service-level administrators to manage their resources without restriction, i.e., Allow GROUP <service-level-group-name> to <verb> <storage-resource-type> in TENANCY. Replace the non-compliant policy statement with Allow GROUP <service-level-group-name> to <verb> <storage-resource-type> in TENANCY where request.permission!='<STORAGE-RESOURCE-TYPE>_DELETE', where <STORAGE-RESOURCE-TYPE> can be VOLUME, VOLUME_BACKUP, FILE_SYSTEM, MOUNT_TARGET, EXPORT_SET, BUCKET, or OBJECT. Make sure that you replace <service-level-group-name>, <verb>, <storage-resource-type>, and <STORAGE-RESOURCE-TYPE> with your own details. For example, a compliant policy statement should look like this: Allow GROUP VolumeAdmins to manage volumes in TENANCY where request.permission!='VOLUME_DELETE'. Choose Save Changes to apply the changes.

06 Repeat steps no. 4 and 5 for each access policy that you want to configure, available in the selected Oracle Cloud Infrastructure (OCI) compartment.

07 Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

01 Run the iam policy get command (Windows/macOS/Linux) to describe the policy statements defined for the access policy that allows storage service-level administrators to manage their resources without restriction:

oci iam policy get \
	--policy-id 'ocid1.policy.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data."statements"'

02 The command output should return the requested policy statements:

[
	"Allow GROUP VolumeAdmins to manage volumes in TENANCY"
]

03 Replace the non-compliant policy statement returned in the previous step, i.e., Allow GROUP <service-level-group-name> to <verb> <storage-resource-type> in TENANCY, with Allow GROUP <service-level-group-name> to <verb> <storage-resource-type> in TENANCY where request.permission!='<STORAGE-RESOURCE-TYPE>_DELETE', where <STORAGE-RESOURCE-TYPE> can be VOLUME, VOLUME_BACKUP, FILE_SYSTEM, MOUNT_TARGET, EXPORT_SET, BUCKET, or OBJECT. Ensure that you replace <service-level-group-name>, <verb>, <storage-resource-type>, and <STORAGE-RESOURCE-TYPE> with your own details. For example, a compliant policy statement should look like this: Allow GROUP VolumeAdmins to manage volumes in TENANCY where request.permission!='VOLUME_DELETE'.

04 Run the iam policy update command (Windows/macOS/Linux) to update the specified access policy with the statement modified in the previous step. IMPORTANT: The value passed to the --statements parameter overwrites all existing statements for the selected policy, therefore ensure that you include every existing policy statement in the --statements parameter value. Because the statement's own single quotes sit inside a single-quoted shell argument, escape them; otherwise the shell strips them and OCI receives an unquoted permission name. As an example, the following command passes only one statement, the one modified in the previous step, to the specified policy:

oci iam policy update \
	--policy-id 'ocid1.policy.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--statements '["Allow GROUP VolumeAdmins to manage volumes in TENANCY where request.permission!='\''VOLUME_DELETE'\''"]' \
	--version-date '2025-12-03'

05 Type Y and press Enter to confirm the policy changes:

WARNING: The value passed to statements will overwrite all existing statements for this policy. The existing statements are:

[
	"Allow GROUP VolumeAdmins to manage volumes in TENANCY"
]

Are you sure you want to continue? [y/N]: Y

06 The command output should return the resource information available for the modified access policy:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"description": "Project5 Storage Access Policy",
		"freeform-tags": {},
		"id": "ocid1.policy.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"name": "cc-storage-admin-policy",
		"statements": [
			"Allow GROUP VolumeAdmins to manage volumes in TENANCY where request.permission!='VOLUME_DELETE'"
		],
		"time-created": "2025-12-03T08:26:35.413000+00:00",
		"version-date": "2025-12-03T00:00:00+00:00"
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234"
}

07 Repeat steps no. 1 - 5 for each access policy that you want to configure, available within the selected Oracle Cloud Infrastructure (OCI) compartment.

08 Repeat steps no. 1 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
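The audit step (checking each statement returned by iam policy list for the request.permission!='<STORAGE-RESOURCE-TYPE>_DELETE' condition) and the remediation step (rebuilding the full --statements value so the update does not drop existing statements) can both be scripted against the JSON that the CLI prints. The script below is an added example, not Conformity's or Oracle's own code. It assumes `oci iam policy list --output json` returns a "data" array of policies with an "id" and a "statements" list (mirrored here by a constructed sample built from the statements on this page), assumes the plural resource-type keywords volume-backups, file-systems, mount-targets, export-sets and objects follow the same naming as volumes and buckets, and assumes only the manage verb grants the <TYPE>_DELETE permission; the function names classify, remediate, audit and update_command are the script's own.

```python
"""OCI-IAM-017 offline checker: flags storage admin statements that can still
delete, and builds the full-list `oci iam policy update` call that fixes them.
Added example, not Conformity's or Oracle's code."""
import json
import re
import shlex

# Assumption: plural resource-type keyword as written in a statement -> the
# permission prefix used in request.permission. Only "volumes" and "buckets"
# appear on the page; the other keys follow the same OCI naming pattern.
RESOURCE_PREFIX = {
    "volumes": "VOLUME", "volume-backups": "VOLUME_BACKUP", "file-systems": "FILE_SYSTEM",
    "mount-targets": "MOUNT_TARGET", "export-sets": "EXPORT_SET",
    "buckets": "BUCKET", "objects": "OBJECT",
}

# Allow GROUP <group> to <verb> <resource-type> in tenancy|compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
DELETE_COND_RE = re.compile(r"request\.permission\s*!=\s*'([A-Za-z_]+)'")
ALL_BLOCK_RE = re.compile(r"^all\s*\{(.*)\}\s*$", re.IGNORECASE | re.DOTALL)


def classify(statement):
    """Return (verdict, detail); verdict is compliant, non-compliant or not-applicable."""
    m = STATEMENT_RE.match(statement)
    if not m:
        return "not-applicable", "not a recognised GROUP statement"
    prefix = RESOURCE_PREFIX.get(m.group("resource").lower())
    if prefix is None:
        return "not-applicable", "not a storage resource type covered by the rule"
    # Assumption: <TYPE>_DELETE is granted only by the manage verb, so
    # inspect/read/use statements cannot delete and need no condition.
    if m.group("verb").lower() != "manage":
        return "not-applicable", "verb does not grant delete"
    excluded = {p.upper() for p in DELETE_COND_RE.findall(m.group("cond") or "")}
    if f"{prefix}_DELETE" in excluded:
        return "compliant", f"{prefix}_DELETE is excluded"
    return "non-compliant", f"missing request.permission!='{prefix}_DELETE'"


def remediate(statement):
    """Append the delete exclusion to a non-compliant statement; leave others untouched."""
    if classify(statement)[0] != "non-compliant":
        return statement
    m = STATEMENT_RE.match(statement)
    clause = f"request.permission!='{RESOURCE_PREFIX[m.group('resource').lower()]}_DELETE'"
    cond = m.group("cond")
    if cond is None:
        return statement.rstrip() + " where " + clause
    # An existing all {...} block gains one more clause; any other condition is
    # ANDed with the exclusion inside a new all {...} block. Original text before
    # the condition is kept verbatim so group names and casing are not altered.
    inner = ALL_BLOCK_RE.match(cond)
    new_cond = f"all {{{inner.group(1).strip()}, {clause}}}" if inner else f"all {{{cond}, {clause}}}"
    return statement[: m.start("cond")] + new_cond


def audit(policy_list_json):
    """Map policy OCID -> [(statement, detail)] for each non-compliant statement."""
    findings = {}
    for policy in json.loads(policy_list_json)["data"]:
        verdicts = [(s, *classify(s)) for s in policy["statements"]]
        bad = [(s, d) for s, v, d in verdicts if v == "non-compliant"]
        if bad:
            findings[policy["id"]] = bad
    return findings


def update_command(policy_id, statements, version_date):
    """Return (command, fixed_statements). The FULL corrected list goes to
    --statements (the call replaces every existing statement) and is quoted
    with shlex so the statement's own single quotes reach OCI intact."""
    fixed = [remediate(s) for s in statements]
    command = " ".join([
        "oci iam policy update",
        "--policy-id", shlex.quote(policy_id),
        "--statements", shlex.quote(json.dumps(fixed)),
        "--version-date", shlex.quote(version_date),
    ])
    return command, fixed


# Constructed sample mirroring `oci iam policy list --output json`, built from
# the statements and OCIDs shown on the page plus one read-only statement.
SAMPLE_POLICY_LIST = json.dumps({"data": [
    {"id": "ocid1.policy.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "name": "cc-storage-admin-policy",
     "statements": ["Allow GROUP VolumeAdmins to manage volumes in TENANCY",
                    "Allow GROUP VolumeAdmins to read volume-backups in TENANCY"]},
    {"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd123abcd123ad",
     "name": "cc-object-storage-policy",
     "statements": ["Allow GROUP ObjectStorageAdmins to manage buckets in TENANCY where request.permission!='BUCKET_DELETE'"]},
    {"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
     "name": "tenancy-admins",  # tenancy-wide administrators are outside this rule's scope
     "statements": ["ALLOW GROUP Administrators to manage all-resources IN TENANCY"]},
]})
```

Running audit(SAMPLE_POLICY_LIST) reports only the VolumeAdmins manage statement; update_command then returns a command whose --statements value carries both the corrected statement and the untouched read statement, with the embedded quotes rendered as '"'"' so the shell passes them through.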

Publication date Dec 8, 2025